[OpenAFS] PAM-AFS isn't working with openssh-3.7.1p1 (sun4x_58)

John Tang Boyland boyland@solomons.cs.uwm.edu
Wed, 17 Sep 2003 11:44:11 -0500

I installed the new version of openssh-3.7.1p1 on our Sparc Solaris
machines but it no longer seems to correctly get a PAG.
(We're using Openafs-1.2.10 with pam_afs from there.)
Our pam.conf entry (unchanged from openssh 3.4p1) is

sshd    auth requisite          pam_authtok_get.so.1
sshd    auth optional           pam_dhkeys.so.1
sshd    auth optional           pam_unix_auth.so.1
sshd    auth optional           pam_afs.so.1  try_first_pass  ignore_root

What happens is very interesting:
Authentication works in that the AFS password is sufficient
to enter the system, but then one gets a PAG assigned
arbitrarily from existing PAGs for that user on the machine,
and thus one gets the tokens (if any) for that PAG.

(I configured openssh --with-pam but without AFS support -- I'm
not trying to do token passing.)